
President Obama issues cybersecurity executive order at SOTU

The National Institute of Standards and Technology, an arm of the Commerce Department, is charged with taking the lead in developing those standards, collectively referred to as the Cybersecurity Framework. The government would be required to publish a preliminary version of the framework within 240 days of the order, and the Department of Homeland Security would eventually lead the effort to encourage its adoption.

The idea is to improve security at institutions considered "so vital to the United States" that a security breach would have a "debilitating impact on [physical] security, national economic security, national public health or safety," or some combination of those, according to the document. The order specifies that commercial information technology is excluded from that definition.


For that reason, the order is accompanied by a second document: a rewrite of the nation's longstanding, broad critical-infrastructure strategy. That 12-page directive updates guidance dating from 2003 to solidify the role of DHS in keeping watch over critical infrastructure, both physically and in cyberspace.

While the executive order prescribes only voluntary cyber standards, it does task federal agencies with surveying existing law and determining whether they have sufficient cyber authorities. Through it, the president is also encouraging the government to consider whether any of the voluntary standards should be turned into binding requirements.

Top business groups, including the U.S. Chamber of Commerce, have long criticized that approach as a backdoor to mandates, and some may bristle at the inclusion of such language in an order emerging from the Oval Office. Still, the administration's plan has no additional teeth: beyond the looming threat of potential mandatory requirements, there are no penalties for industries that don't adopt the voluntary standards. Administration officials said they opted for this uneasy balance because they could go only as far as current law permitted.

Along with its new strategy to protect critical infrastructure, the executive order aims to improve coordination between the public and private sectors. Its information-sharing component is meant to ensure that the government and participating businesses can share data about emerging cyberthreats in real time, particularly with businesses already in hackers' cross hairs. Top federal privacy watchdogs at Homeland Security and elsewhere would monitor the program, and report on it publicly, to ensure Americans' privacy protections are preserved. The ACLU has already offered an early nod to the administration's work.

The major prongs of the order, however, remain incomplete, because a White House directive cannot rewrite federal law. Top Cabinet leaders have previously acknowledged that reality, and senior administration officials emphasized again Tuesday that robust reform is impossible without action by Congress.

For one thing, the administration's call for voluntary cybersecurity standards lacks incentives. Absent a new law, the White House cannot easily encourage widespread business participation; instead, the order urges federal agencies to explore what carrots they can offer in the interim. That is why the administration embarked on something of a cybersecurity road show, canvassing businesses and trade associations ahead of the order's release to win their backing.